FEATURE 31 July 2023
Naming the end client: GDPR and data privacy
Kaleke Kolawole, policy manager at MRS, explores whether you need to name the client when conducting research, as well as the challenges of doing so.
It is a conundrum, we know. Do you need to name the client when conducting research? What are the challenges of doing so and are there any exemptions?
The MRS Code of Conduct states that ‘members must disclose the identity of clients where there is a legal obligation to do so’, and states that ‘where files of identifiable individuals are used – e.g., client databases – members must ensure that the source of the personal data is revealed at an appropriate point in the data collection’.
There is an obligation to name a commissioning client in three main scenarios:
Additionally, the identity of the client must be revealed when data collection is undertaken if clients require personal data from a project.
First, what is a data controller?
The data controller determines the purposes for which, and the means by which, personal data is processed. If your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. The UK General Data Protection Regulation (GDPR) draws a distinction between a ‘controller’ and a ‘processor’ to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility.
The UK GDPR defines these terms:
If you are a controller, you are responsible for complying with the UK GDPR – you must be able to demonstrate compliance with the data protection principles and take appropriate technical and organisational measures to ensure your processing is carried out in line with the UK GDPR.
Naming the end client
The determination of who is a controller (DC), joint controller (JDC), data processor (DP) or third party is a question of fact rather than contractual stipulation. It is based on a determination of the purposes and means of the processing and, essentially, the level of decision-making power exercised.
Depending on the type of research project, a client may be a third party, sole data controller or joint data controller in line with the level of autonomy and responsibility the client exercises over the personal data being collected.
Similarly, a research supplier may be a processor, joint controller or sole controller. Importantly, it should be noted that receiving personal data is not the only measure for determining if you are a controller in a research project. If you set a purpose – for example, issue a commercial question to a researcher – you are rendered a controller. The key to determining the status of each party in research data collection is knowing the level of control exercised and understanding where the decision-making authority is held.
Numerous legal cases have tested whether access to identifiable data is key to determining whether a controller relationship exists. These cases have determined that an entity does not need to have access to personal data to be considered a controller. It is enough if a business determines the purposes and means of processing, has influence on the processing by causing the processing of personal data to start (and being able to make it stop), or receives the anonymous statistics based on personal data collected and processed by another entity.
What are the challenges with naming the client?
We acknowledge that naming the end client is not a favourable position for commissioners. It can erode the principle of ‘confidentiality’, introduce bias and reduce the robustness of a research project. Naming the client can also:
Are there any exemptions?
Article 13 of the GDPR states ‘where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with: the identity and contact details of the controller and, where applicable, of the controller’s representative’.
There is no exemption or derogation from the legal obligation to name a controller – it is an absolute requirement to provide transparent information about controllers to data subjects and is in line with the GDPR principles of ‘fairness’ and ‘transparency’. However, we consider that there is some flexibility at the point at which a controller must be named.
We interpret the requirements in the GDPR on naming the data controller as providing some leeway on the point in time when the controller must be named. It is important that the data controller is named as part of the single process of collecting personal data, but this may be more appropriately done at the end, rather than at the beginning, of a survey.
This approach is most appropriate when no personal data is being shared with the end client, but researchers may also consider using it in other circumstances.
Kaleke Kolawole is policy manager at the Market Research Society
This article was first published in the July 2023 issue of Impact